AUTOMATED PROVISIONING SYSTEM
BACKGROUND OF THE INVENTION

The invention relates generally to an Automated Provisioning System (APS system) which is adapted to centralise and automate information management for online services.

When new personnel or users are first allowed access onto an online service, which may be provided by service providers such as Telecommunications Companies (Telcos), corporations or enterprises, for example businesses or offices having their own internal online services, the new personnel or users have to go through a registration routine in order to enable them to use the online service. The registration routine involves the new user providing information, such as an identity code, to a central point so that each time the user logs onto the service their details are verified and the user is permitted, by means of an appropriate identity code, to access pre-defined parts of the service. The user on registration will have been given permission to access certain parts of the online system according to the level of access that they require. For the customer of a service provider the level of access will be determined by the service that has been assigned as a result of completing an online registration form. For example a customer responds to a promotion that has been distributed by a service provider and registers for the online service via the internet. For an employee of a company the level of access may be determined by their position in the company and the work that they are required to perform. For example, the managing director of a company is likely to be allowed access to all services, ranging from accounting to personnel and company strategy. In contrast a secretary may have access only to the services or information that he needs to actually work on and will be denied access to other parts of the online services system.

Further, in organisations which are located on a number of office sites, it may be necessary on registration to specify the exact location of that employee within the organisation, for example whether they are located at site A or site B, because the employee will be registered as using a particular computer terminal at a particular site. However, if that employee is relocated in the organisation and is moved to another office site, a re-registration procedure must take place to take account of that relocation to another office and terminal. This means that on relocation there will be a delay in the individual recommencing work, as a result of the need for a re-registration procedure to enable the individual to use the computer network once they have moved. This will result in a reduction of the efficiency of the individual, which in turn will reduce the productivity of the organisation. Further, with such systems it is necessary to have a department in the organisation which is dedicated to the manual input of data about the individuals in that organisation that are using the computer network and where those individuals are located. Also a system has to be set up to track and monitor the movement of individuals in the organisation, and the costs associated with such departments and tracking systems, together with the increase in personnel needed, increase the costs of running a computer network within an organisation.

Accordingly, there is a need for an APS system which facilitates the rapid deployment of new entities onto an online service, where an entity may be an individual or a piece of infrastructure such as network hardware (switches and workstations) or software (e.g. firewalls, operating systems and mail servers). Further there is a need to reduce costs and improve efficiency by the removal of manual registration and tracking processes. There is the need for fast and reliable changes to infrastructure, together with the ability to expand and integrate existing associated infrastructures. In turn, there is the need for the ability to consolidate distinct networks, say following the acquisition of another network by an organisation, e.g. after the merger of organisations. There is also the need for the automation of the tracking and registration of user entities from one internet protocol address to another, which may be controlled by a single logical repository for all entity information, thereby making the online service more user friendly, faster and more flexible to use.

Further, for service providers who are operating online services on behalf of other organisations there is the need to be able to manage each organisation's information in a separate logical partition of the single information repository, and to apply branding to the administration and registration interfaces that is specific to each organisation. There is also the need for the systems that provide the online services to be able to determine the logical partition to be used within the single repository when authenticating and authorising users to use the online services.

SUMMARY OF THE INVENTION 

According to the present invention there is provided an automated provisioning system adapted to use an LDAP or X.500 compatible directory enabled information repository, the system comprising a service manager adapted to interface with the information repository and with components of a distributed electronic system, wherein the information repository comprises a scalable data model, wherein the service manager is adapted to log on to a directory and interacts therewith to create, delete, amend and/or search for information in the information repository, and wherein the data model comprises domains, which domains comprise object types of users, services, profiles and infrastructure,

and wherein the data model comprises configuration objects, which objects comprise one or more of a profile service configuration object, a user service configuration object and a service infrastructure configuration object,

such that a user is assigned to a profile, which profile is adapted to access a plurality of services, which services run on infrastructure.

In a preferred embodiment, the core components include an Administration Interface for the creation of services and user domains and for the generation of reports, and an Interface Manager (Story Processor) for the registration of users of the online services and for the presentation and collection of information from administrators that relates to the usage of the online services. Together the Service Manager, administration tool and Interface Manager control the administration, entity registration and reporting functions of the system and can also extend control to include firewalls and application servers, such as mail servers and news servers. Even non-directory enabled infrastructure is supported with the use of a mediation function.

The APS system of the present invention may be used with infrastructures that support dial-in Internet users. This includes pools of modems, network access servers (NAS) and Authentication Authorisation Accounting (AAA)/RADIUS servers. Internet Service Providers (ISPs), Network Service Providers and Application Service Providers (ASPs) rely on existing PSTN and ISDN infrastructures to allow dial-in users to connect to their NAS devices from homes and offices. The APS system of the present invention aims to provide service based authentication and authorisation to use the system and provides a customisable user interface for subscriber registration, together with an administration/help desk. The administration interface allows the service providers to create, modify or delete the services that they provide, as well as providing fast dial-up access to the internet. The APS system also seeks to provide an automated on-line subscriber self-registration system via a web browser interface. Further, the APS system aims to allow for the configuration or reconfiguration of infrastructures with new or modified subscriber settings according to the level of access that the subscriber requires, and existing subscribers, once registered with the service provider, can subscribe to new services, modify existing services or unsubscribe from services. Internet Protocol address assignment may be used to deliver differentiated qualities of service to different types of subscriber; for example there may be residential tiers, business tiers and corporate tiers, which are defined according to the level of access required by the subscriber and the status of that subscriber or group of subscribers. The RADIUS server provides authentication and authorisation services using information that has been put in the Directory using the APS system, to enable the subscriber to access the network, and there may also be provision for the automatic revocation of a service after a predefined period, e.g. after the expiry of a subscription period to a service provider. The APS system seeks to support Virtual Private Networking (VPN), Virtual Portal and domain creation with multi-user administrator and help desk facilities. For each VPN, Virtual Portal and domain the APS will also apply specific branding to the administration and registration user interfaces.

The APS system of the present invention may also be used by cable TV companies. Cable companies possess a Hybrid Fibre Coaxial (HFC) infrastructure which delivers a high bandwidth communication link into a house, office or organisation, and the cable connects to a splitter for shared access by multiple devices, e.g. set-top boxes, telephones etc. A cable company may provide a multitude of different services to which customers may subscribe, e.g. home shopping services, chat services, opinion polling services, news, movie and sports channel services, call waiting, diversion and call barring services etc.

The APS system of the invention, in addition to the facilities it provides for Service Providers as discussed, also aims to provide the assignment of cable modem IP addresses using Directory enabled DHCP or Directory enabled Bootstrap Protocol (BOOTP), and to assign cable modem boot files and appropriate TFTP servers from which modems retrieve their boot configuration files. There is also the provision of a dynamic link between a cable modem, workstation and the subscriber, which assists in the prevention of theft of service as the subscriber can be traced. Further, the APS features include support for all MCNS compliant cable modems and, as for the APS system generally, the ability to browse and search the directory store.

The APS system of the invention aims to be fully extensible to satisfy specific business requirements, which can range from the inclusion of extra directory enabled server components, such as RADIUS server components for an ISP, to an additional interface to support an existing or legacy system or workflow and billing systems. The APS system also aims to support an extensible scheme for adding new object types to an LDAP/X.500 directory as new types of network infrastructure are added.



Also, the APS can be used within enterprises such as corporations or offices, or simply a network of users, which provide intranet, extranet and remote access services to their workforce or users. Different roles within an enterprise may necessitate different service levels for staff and management. Consequently an APS system for an enterprise must include, in addition to the systems already discussed, rapid registration/deployment of new employees and the allocation of IP addresses via DHCP which can deliver differentiated qualities of service to differing communities of entities, e.g. there may be a home user entity tier or a remote office tier. There may be provision for the automatic revocation of a service such as an IP address based on a defined policy, which may last as long as an employee remains in employment with the enterprise, for example for contract workers. The APS features may also include web browser interface access to information using the Interface Manager, including addresses in use by subnet, time in use per address, IP address to name assignment, inventory information per address, and manual suspension and revocation of users and their associated IP addresses.

The APS system of the present invention may also be used by companies for internet services. Companies who offer products or services for sale over the internet capture information from users regarding the products and services they require and the method of payment they wish to use. The information can be passed to an online billing system or to a system which will debit funds from their selected credit card company. The information will also be used to instruct a workflow system to dispatch the product to the individual or to instruct an online server to provide the required service.

BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings:

Figure 1 illustrates the relationship between the Interface, Interface Manager, Web Server, Service Manager and Directory of the APS system according to the invention.

Figure 2 illustrates how information is modelled and stored within the APS system.

Figure 4 illustrates the summation of base profiles plus profile extensions.

Figure 5 is a flow chart which illustrates a LAN (local area network) user entity registration process using an APS of the invention.

Figure 6 is a flow chart which illustrates an automated ISP subscriber self registration process using an APS of the invention.

Figure 7 is a flow chart which illustrates an automated cable subscriber self registration process using an APS of the invention.

Figure 8 shows an APS system of an embodiment of the invention being used with a multi service enterprise infrastructure.

Figure 9 shows an APS system of an embodiment of the invention being used with a multi service Internet service provider infrastructure.

DETAILED DESCRIPTION OF AN EXEMPLARY EMBODIMENT

The APS system of the invention comprises a range of components such as:

a. A Service Manager

b. Information Association GUI components

c. Information repository components, for example X.500 Directories, which include Open Directory DX Servers, LDAP servers such as Netscape Directory Server, and proprietary directories such as Microsoft Active Directory.

d. An Interface Manager

e. A Trigger Server

f. A Report Server

g. A Cookie Server

h. Infrastructure components, which include:
DHCP servers
DNS servers
RADIUS/AAA servers
Cable Modem Head End
Cable TV Head End
Application servers such as Mail servers or News servers
Routers
Traffic Shaping Devices
Firewalls
PABX
Certificate Authorities

The core APS component is the Service Manager, as shown in figure 1, which manages and integrates the other components. The Service Manager 5 allows different software interface components 7a and hardware components 7b to be developed which can communicate with the Service Manager. The Service Manager has a defined application programming interface (API) which allows customised client applications to be developed. The Interface Manager 3 allows for a high degree of customisation. The Service Manager 5 can interface with the administration tool 1 or the Interface Manager 3, which in turn can interface with the Web Server 2. Standard CORBA interfaces 4 allow for an industry standard distributed system, as well as a comprehensive inter-communications architecture and security system. The Service Manager 5 can include a directory communication layer which enables the Service Manager to work with multiple directories, allowing it to deal with a number of aspects at any one time, such as fail-over and load sharing of requests. The Service Manager can then in turn be interfaced with the Directory 10. The Service Manager uses the Lightweight Directory Access Protocol (LDAP) 7 for communication with the Directory 10. The Service Manager 5, administration tool 1, Interface Manager 3 and Directory 10 may all reside on distinct machines running any network operating systems that are supported by the APS. Native applications can be developed to run on machines that communicate directly with the Service Manager 5. The Directory 10 can exist on a distinct server and need not be situated in the same geographical location as the Service Manager 5.

An administration tool 1 is a stand alone program that runs on a computer. The APS of the invention allows application tools to make direct calls to the Service Manager 5, bypassing the Interface Manager 3 altogether. The APS supports a range of interface mechanisms allowing direct access to the Service Manager 5 and, where necessary, encapsulates specific details within the capabilities of the Interface Manager. This flexibility allows the APS to easily accommodate new interface mechanisms, simply by plugging in a new Story Processor such as an HTML Browser 11 or an Applet Interface, if the desired interface mechanism is unable to talk directly to the Service Manager 5.

The APS includes a Trigger Server 9 which causes operations such as business rules and workflow to be triggered once an action is logged on the system; for example it may include an interface to a legacy billing system which is used to collect and send printed bills to a customer, as well as writing the information to the directory server.

The APS also includes a Report Server 8 which can carry out complex searches on the system and can report back information in a specific way according to the requirements of the individual requesting that information.

Also, a Cookie Server 6 is included which holds values that are written to the browser 11 by the web server 2 when the Interface Manager 3 is run. The Cookie Server holds this information, for example a page number, as a reference point which the user can look for when resuming a piece of work on the system. The Cookie Server acts as a short term persistent store of up to 24 hours.

Also, the system may include Middleware which enables different types of software to communicate with each other. This is particularly useful as it enables hardware from one manufacturer, which may be using a certain type of software, to be interfaced with hardware from another manufacturer which may be using another software system. The advantage of this is that it allows systems to be built up from different pieces of hardware rather than having to have a system comprising uniform pieces of hardware.

The APS is fully scalable and can support multiple Service Managers 5 and multiple Web Servers 2 that are associated with user browsers. Browsers are usually the primary information management interfaces for the network system.

Horizontal scalability caters for an increase in the size of the user base: as this increases, Service Managers can be added, with the Web Servers being load balanced to handle the increased load. Alternatively, a single Service Manager can be used, and it can use load balancing to make requests to multiple Directory System Agents (DSAs).

The Service Manager may be configured in a high performance configuration to enable high throughput of user activity at peak network times and in situations where there are high user loads, for example more than 10000 registrations per day. The Service Manager 5 uses servlet technology, where each individual request creates a separate thread of execution. This improves server efficiency via the use of lightweight threading models and faster in-process execution. The Interface Manager 3 handles peak loads of requests by queuing registration requests to the Service Manager 5: as requests come into the server they are first stored in a serialised format on the server. The queue of registration requests, which acts as a buffer, is then processed by the Service Manager until there are no registration requests remaining.

The Service Manager can support password hashing and encryption schemes such as MD5, SHA and DES, and can provide support for X.509 certificates. Authorisation may be a two layer mechanism, required for the user-service association and for the service-infrastructure association. The benefit is that authorisation can be managed at a service level. The Service Manager supports secure sockets throughout the system. CORBA implementations support SSL over IIOP, thereby protecting the link between the CORBA interfaces 4 and the Service Manager 5. Leading browsers all support SSL.
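The password schemes named above are the LDAP userPassword forms. As an added worked example (not code from the page), the following implements the {SHA} and {MD5} forms defined in RFC 2307 beside the salted {SSHA} form widely used by LDAP servers, with a verifier that refuses unknown schemes and compares in constant time. Unsalted SHA-1 and MD5 give identical stored values for identical passwords and are not acceptable for new password storage; their verifiers are kept here only so that legacy directory entries can still be checked while they are migrated to a salted scheme. Function names are this example's own.

```python
"""Added example, not the page's code: RFC 2307 style {SHA}/{MD5} and salted {SSHA}
userPassword values, as an LDAP directory would store them, plus a verifier."""
import base64
import hashlib
import hmac
import os

SUPPORTED = ("SSHA", "SHA", "MD5")   # anything else ({CRYPT}, cleartext) is rejected on verify


def hash_password(password, scheme="SSHA", salt=None):
    """Produce a '{SCHEME}base64' value. Only SSHA is salted; prefer it for new entries."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt        # salt travels after the digest
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    if scheme == "SHA":        # unsalted: same password -> same value, legacy only
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "MD5":        # unsalted and weak: legacy only
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode("ascii")
    raise ValueError(f"unsupported scheme {scheme!r}")


def verify_password(password, stored):
    """True only if the scheme is recognised and the digest matches; never a silent fallback."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SUPPORTED:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]                    # SHA-1 digest is 20 bytes
        expected = hashlib.sha1(pw + salt).digest()
    elif scheme == "SHA":
        digest, expected = raw, hashlib.sha1(pw).digest()
    else:
        digest, expected = raw, hashlib.md5(pw).digest()
    return hmac.compare_digest(expected, digest)             # constant-time comparison


def is_salted(stored):
    """Migration helper: flags entries that still use an unsalted scheme."""
    return stored.upper().startswith("{SSHA}")
```

A migration pass over the directory would call is_salted() on each userPassword and, at the user's next successful login (the only moment the cleartext is available), rewrite the value with hash_password(password, "SSHA").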
The Service Manager 5 can support the notion of a fail-over DSA, to which the Service Manager can revert in the event of Directory/DSA failure. The Service Manager can support multiple Interface Managers that communicate with a single Service Manager, so if a Web Server 2 or Interface Manager 3 fails the system will still be available. This arrangement allows for multiple Service Managers, each of which talks to one or more DSAs. In the event of a Service Manager failing, the overall system will still operate using the Service Manager(s) that have not failed. If a server fails as a result of load, hardware or software problems, no registration request will be lost, because these requests are stored in a persistent form on the server on which the Story Processor resides. When the Service Manager recovers from a failure or is restarted, it checks whether there are any pending registration requests and then processes them if necessary.
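The serialised registration queue described above, and its recovery after a Service Manager failure, as an added example that is not the page's own code: each request is written to its own file with an atomic rename before it is acknowledged, a restarted Service Manager drains whatever a crashed predecessor left behind, and processing is idempotent so that a request replayed after a crash cannot create a duplicate directory entry. The one-file-per-request spool layout and the dict standing in for the directory are assumptions of this example.

```python
"""Added example, not the page's code: a crash-safe registration queue between the
Story Processor and the Service Manager, with recovery of pending requests on restart."""
import json
import os
import tempfile
import time
import uuid


class RegistrationQueue:
    """Story Processor side: persist every request before it is considered accepted."""

    def __init__(self, spool_dir):
        self.spool_dir = spool_dir
        os.makedirs(spool_dir, exist_ok=True)

    def enqueue(self, request):
        request_id = str(uuid.uuid4())
        # timestamp prefix keeps FIFO order when the spool is listed after a restart
        final = os.path.join(self.spool_dir, f"{time.time_ns():020d}-{request_id}.json")
        tmp = final + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump({"id": request_id, **request}, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, final)   # atomic: a crash never leaves a half-written request visible
        return request_id

    def pending(self):
        names = sorted(n for n in os.listdir(self.spool_dir) if n.endswith(".json"))
        return [os.path.join(self.spool_dir, n) for n in names]

    def acknowledge(self, path):
        os.remove(path)          # only after the directory write has succeeded


class ServiceManager:
    """Drains the queue; a fresh instance first processes what its predecessor left."""

    def __init__(self, queue, directory):
        self.queue = queue
        self.directory = directory   # stands in for the LDAP directory: uid -> entry

    def process_one(self, path):
        with open(path, encoding="utf-8") as fh:
            req = json.load(fh)
        if req["uid"] in self.directory:
            # replay after a crash between directory write and acknowledge: skip, do not duplicate
            self.queue.acknowledge(path)
            return False
        self.directory[req["uid"]] = {"profiles": req["profiles"], "request_id": req["id"]}
        self.queue.acknowledge(path)
        return True

    def start(self):
        """Called at (re)start: returns how many pending requests were newly provisioned."""
        return sum(self.process_one(p) for p in self.queue.pending())


def simulate_crash_and_recovery():
    spool = tempfile.mkdtemp(prefix="aps-spool-")
    directory = {}
    q = RegistrationQueue(spool)
    q.enqueue({"uid": "alice", "profiles": ["basic-user"]})            # constructed sample
    q.enqueue({"uid": "bob", "profiles": ["basic-user", "mobility"]})  # constructed sample
    crashed = ServiceManager(q, directory)
    first = crashed.process_one(q.pending()[0])     # handles one request, then "crashes"
    recovered = ServiceManager(RegistrationQueue(spool), directory)
    drained = recovered.start()                     # finds and processes the rest
    q.enqueue({"uid": "alice", "profiles": ["basic-user"]})            # duplicate replay
    replayed = recovered.start()
    return {"first": first, "drained": drained, "replayed": replayed,
            "left": len(q.pending()), "uids": sorted(directory)}
```

The acknowledge step deliberately comes after the directory write; the worst case is a duplicate delivery, which process_one absorbs, never a lost registration.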

While the APS requires the presence of a Directory, such as an LDAP/X.500 directory, the system is vendor neutral, which means that it can be used with a range of specific components from different manufacturers. The APS is extensible to the extent that if additional pieces of equipment are introduced to the infrastructure, such as software infrastructure 7a (for example a firewall, application servers, DHCP, BOOTP, DDNS and RADIUS) or hardware infrastructure 7b (such as LAN switches, routers or gateways), the components can be integrated with the management of the existing components.

The Directory 10 acts as an information repository for information about entities, which can be defined as any person or piece of infrastructure requiring access to a service; an entity's access to these resources is defined by its entity base profile plus extensions to that profile. Further information stored by the Directory 10 is information about profile policies, which are defined by the services that can be supplied by the network, information about the infrastructure components, and information about domains. Domains are logical partitions, or sub-trees, of a single physical LDAP/X.500 directory for which a remote organisation has devolved authority. For example a corporate organisation, such as a multi-national bank, may have its own domain which controls all the administration of that organisation. Telcos can provide their own dial-in services for organisations that do not wish to manage their own physical dial-in infrastructure. In order to identify and authenticate the dial-in user, the Telco verifies the user's login details, such as the user's username, password, calling number or called number, against those stored in the domain for that user. Although the APS is responsible for hosting the domains of a user, administration of the domain can be taken on by the user if they wish, and this is referred to as devolved authority of the domain.

Figure 2 shows how the information is stored by the APS system. Users 14 are given specific profiles 13 according to the requirements that they have for using the system. Based on the profiles 13 that have been recorded for the user, that user will then have access to services 12 that are connected to the infrastructure, such as the hardware and software 7a and 7b of the system. The services 12, users 14, profiles 13 and infrastructure 7a, 7b intercommunicate by way of configuration objects, such as the user to service configuration objects X, the profile to service configuration objects Z and the service to infrastructure configuration objects Y. The user to service configuration object collates user service attributes provided by sub-class extensions of the user profile, which represent user specific parameters that allow the user access to services, such as the RADIUS username, RADIUS password, POP username and password (i.e. the mail address and attributes) and the WEB attributes which allow access to the Internet. The profile to service attributes set from the user profiles allow the user access to specific service parameters which can be used for functions such as marketing. There are again the RADIUS, Mail and WEB passwords which allow access to information such as lists and numbers of mailboxes of clients to which the user can send information, e.g. further information about products. The service to infrastructure configuration object takes the service attributes provided by the sub-class extensions and replaces the service parameters, so allowing configuration between the RADIUS, Mail and WEB attributes. This allows the infrastructure to find the service that is required by a user based on the profiles given for that user.

A user entity object will contain at least the user name, password, location of the entity, contact information, the set of profiles for the entity and the authentication expiry. The profile attribute for an entity contains a reference to a base profile for the entity plus, if applicable, one or more profile extensions. Each entity will have at least one profile and possibly more.

The first profile in the entity's set of profiles is referred to as the base profile, and additional profiles are known as profile extensions. A first profile may be a base profile for one entity, but this same profile may also be a profile extension for another entity. It is the core characteristics of an entity which are described by the base profile. The profile extensions represent refinements to the services that can be made available to the entity. Profile extensions allow customisation of the service that a particular entity receives, without having to create an entirely new profile for that entity, and can best be conceptualised as fine tuning adjustments to the basic service level.

Entities are granted authorisation to use a service or services by their association with entity profiles, i.e. services are not directly assigned to entities; rather, profiles are assigned to entities and, at the same time, services are assigned to profiles. An entity profile is a list of one or more services which collectively defines a level of access to an infrastructure. These services become available to entities that are assigned the respective profile. A level of service may be nil, where access to the service is to be denied.

A key benefit of using profiles is that there will typically be far fewer profiles than entities, which simplifies the maintenance function of assigning services to entities. An example of an organisation's entity profiles may be as follows:

Pre-provisioned Entity Profile - includes unregistered entity services which provide a provisional IP address to un-provisioned or pre-provisioned entities, allowing access to the registration domains only.

Basic User profile - includes basic-user services, e.g. mail service.

Administration profile - includes basic-user services and administration services, which provide administration rights to the APS system.

Mobility profile - includes basic-user services and dial-in user services.

Helpdesk profile - includes basic-user services and query services.

Human Resource profile - includes basic-user services and administration services.

Figure 4 demonstrates the logical summing of a base profile with an extension profile to create a single virtual profile that is an aggregate of the two component profiles. However, there is one notable exception to this, and that is when two different profiles are in direct opposition to one another; in such a situation the first occurrence in the set of profiles is the profile that takes precedence. Typically this will be the base profile, as it is the base profile that defines the core characteristics of the level of service that is to be provided for a user. If it is the intention of the network administrator to override the base profile, rather than to extend it, then the correct action is to replace the base profile with the profile extension for that entity. The fact that an entity can have multiple profiles means that it is possible for identical services to be duplicated. This can be seen in figure 4, where both profile C and profile A contain services 1 and 4. As these services are identical, they occur only once in the logical sum of the two profiles.
The logical summation of the individual profiles for a given entity is not stored within the directory store; instead a dynamic structure is held in the service manager. When an entity requests a service, the service manager looks up this logical set of services, which is preferably created when the entity session begins, to establish whether the entity is authorised to gain access to that particular service.
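As an added worked example (not code from the page), the following models the Figure 2 relationships (users are assigned profiles, profiles list services, services run on infrastructure, so the configuration objects X, Y and Z reduce to lookups) together with the Figure 4 summation just described: the base profile and its extensions are merged in order, the first occurrence of a service wins where two profiles conflict, duplicated services collapse to one, and a "nil" level of service denies access. The logical sum is built when the session begins and held by the service manager rather than written to the directory. All service, profile and infrastructure names are illustrative, and the three cases in demo() are constructed to mirror the text: the figure 4 overlap, an extension in opposition to its base, and the administrator replacing the base to override it.

```python
"""Added example, not the page's code: user -> profile -> service -> infrastructure
resolution with base-plus-extension profile summation and conflict precedence."""
from dataclasses import dataclass

NIL = "nil"   # level of service that denies access (page: "A level of service may be nil")


@dataclass(frozen=True)
class Service:
    name: str
    infrastructure: tuple     # infrastructure this service runs on (assumed names)


@dataclass
class Profile:
    name: str
    services: dict            # ordered: service name -> level of service


@dataclass
class Entity:
    name: str
    profiles: list            # first entry is the base profile, the rest are extensions


def logical_sum(profiles):
    """Merge base + extensions. First occurrence wins on conflict; duplicates appear once."""
    merged = {}
    for profile in profiles:
        for service, level in profile.services.items():
            if service in merged:
                continue      # earlier profile (normally the base) takes precedence
            merged[service] = level
    return merged


class ServiceManager:
    def __init__(self, catalogue):
        self.catalogue = {s.name: s for s in catalogue}
        self.sessions = {}    # entity name -> dynamic logical set; never written to the directory

    def begin_session(self, entity):
        self.sessions[entity.name] = logical_sum(entity.profiles)
        return self.sessions[entity.name]

    def is_authorised(self, entity_name, service):
        level = self.sessions.get(entity_name, {}).get(service)
        return level is not None and level != NIL

    def infrastructure_for(self, entity_name, service):
        """Service-to-infrastructure lookup, gated by the user-to-service authorisation."""
        if not self.is_authorised(entity_name, service):
            return ()
        svc = self.catalogue.get(service)
        return svc.infrastructure if svc else ()


# constructed catalogue and profiles, named after figure 4
CATALOGUE = [
    Service("service-1", ("radius-1",)),
    Service("service-2", ("mail-1",)),
    Service("service-3", ("web-proxy-1",)),
    Service("service-4", ("nas-pool-a", "radius-1")),
]
PROFILE_A = Profile("A", {"service-1": "standard", "service-2": "standard", "service-4": "standard"})
PROFILE_C = Profile("C", {"service-1": "standard", "service-3": "standard", "service-4": "standard"})
DENY_MAIL = Profile("deny-mail", {"service-2": NIL})   # in direct opposition to A on service-2


def demo():
    sm = ServiceManager(CATALOGUE)
    alice = Entity("alice", [PROFILE_A, PROFILE_C])      # figure 4: 1 and 4 overlap
    bob = Entity("bob", [PROFILE_A, DENY_MAIL])           # base A outranks the denying extension
    carol = Entity("carol", [DENY_MAIL, PROFILE_A])       # administrator replaced the base
    for entity in (alice, bob, carol):
        sm.begin_session(entity)
    return {
        "alice_services": list(sm.sessions["alice"]),
        "alice_infra_4": sm.infrastructure_for("alice", "service-4"),
        "bob_mail": sm.is_authorised("bob", "service-2"),
        "carol_mail": sm.is_authorised("carol", "service-2"),
        "carol_infra_2": sm.infrastructure_for("carol", "service-2"),
        "unknown": sm.is_authorised("alice", "service-9"),
    }
```

Because the merge is order-dependent, the directory attribute that lists an entity's profiles must preserve order (or carry an explicit base reference, as the text describes); a set-valued attribute would make the precedence rule nondeterministic.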

The use of profile extensions gives rise to a maintenance function, whereby a network administrator can periodically check for patterns of use of a certain profile extension or extensions to enhance a given base profile, which could enable a user to gain access to further services that are offered on a network. A high frequency of use of a particular profile extension, combined with a particular base profile, would suggest to the network administrator that a new base profile was required for the entities whose base profile it is, incorporating the previous base profile and the profile extension services that have been used. The administrator would then create a new base profile and apply it to the appropriate entities.

Services are the logical association of different pieces of infrastructure and/or existing services which cooperate to provide the requirements of a particular entity. The infrastructure may be network hardware such as routers, switches, workstations or any other type of hardware that the APS will manage. The infrastructure may also be applications such as firewalls, mail servers, operating systems or any other type of software that the APS system manages.

The services may be abstracted from the physical infrastructure, which provides the benefit of a less complex system: in order to consider entity access, the APS allows the system to consider the infrastructure in broad terms rather than in terms of each of the individual components. Also, the APS allows the system to recognise patterns in the infrastructure requirements by recognising classes of entities. Further, the APS allows for the separation of an entity maintenance role from that of the infrastructure maintenance role. The use of service inheritance also means that the task of creating new services is simplified, because a network administrator may create a new service by basing it on the old service and adding further pieces of infrastructure to compensate for the deficiencies in the old service that were noted by the network administrator. With service inheritance there is also the feature that a base service may not be deleted while there are services that are inherited from it. The system would scan existing services to ensure that there are no services which are inherited from a service before deleting it, to ensure that no files are deleted accidentally. The APS will enable an enterprise to create an infrastructure that is available to all employees by creating a single service called a "user service". Further, a single level of service can be provided for all employees which is accessed by a single dial-in service. Further, if an organisation has a router which allows access to the public domain, a service can be created such as a "gateway service" which relates to only a single or selected items of infrastructure. All other items can then be accessed separately via a "general user service". Also, where an organisation has a network administrator who wishes to take a hands-on approach to the allocation of network resources to entities and prefers to think in terms of infrastructure rather than in services, then a separate service can be created for each piece of infrastructure.
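The service model described above, with single inheritance, flattening of the inheritance chain into the infrastructure that has to be configured, and the guard that refuses to delete a base service while anything still inherits from it, as an added example. This is not the patent's own code; the service and infrastructure names are constructed for illustration.

```python
"""Service inheritance for the APS service model (added example, not the
patent's own code; the service and infrastructure names are constructed)."""
from dataclasses import dataclass, field
from typing import Optional


class ServiceInUseError(Exception):
    """A base service still has services inherited from it and may not be deleted."""


@dataclass
class Service:
    name: str
    infrastructure: set = field(default_factory=set)  # items this service adds
    base: Optional[str] = None                         # service it inherits from


class ServiceCatalogue:
    """Services as logical groupings of infrastructure, with single inheritance."""

    def __init__(self):
        self._services = {}

    def define(self, name, infrastructure=(), base=None):
        if name in self._services:
            raise ValueError(f"service {name!r} already exists")
        if base is not None and base not in self._services:
            raise KeyError(f"unknown base service {base!r}")
        svc = Service(name, set(infrastructure), base)
        self._services[name] = svc
        return svc

    def derive(self, new_name, base, extra_infrastructure=()):
        """Create a new service from an old one, adding the infrastructure the
        administrator found missing in the old one."""
        return self.define(new_name, extra_infrastructure, base)

    def effective_infrastructure(self, name):
        """Flatten the inheritance chain into the items that must be configured."""
        items, seen, cur = set(), set(), name
        while cur is not None:
            if cur in seen:
                raise ValueError(f"inheritance cycle at {cur!r}")
            seen.add(cur)
            svc = self._services[cur]
            items |= svc.infrastructure
            cur = svc.base
        return items

    def dependants(self, name):
        """Services that inherit directly from the named service."""
        return sorted(s.name for s in self._services.values() if s.base == name)

    def can_delete(self, name):
        return name in self._services and not self.dependants(name)

    def delete(self, name):
        """Refuse to delete a base service while anything inherits from it."""
        if name not in self._services:
            raise KeyError(name)
        deps = self.dependants(name)
        if deps:
            raise ServiceInUseError(f"{name!r} is inherited by {deps}")
        del self._services[name]

    def names(self):
        return sorted(self._services)


def build_example_catalogue():
    """Constructed services mirroring the description: a general user service,
    a gateway service covering only the public-facing router, and a dial-in
    service derived from the general user service."""
    cat = ServiceCatalogue()
    cat.define("general user service",
               {"mail server", "intranet web server", "file server"})
    cat.define("gateway service", {"internet router"})
    cat.derive("dial-in user service", "general user service",
               {"remote access server"})
    return cat
```

The deletion check is deliberately done on the catalogue rather than left to the caller: the point of the description is that the system itself scans for dependants before a base service is removed, so the guard belongs where the delete happens.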

APS provides for the devolved authority of the Directory, whereby a single directory may store information sub-trees for multiple organisations or sub-organisations, which are provided with the facility to administer their own private logical portion of the physical directory tree, independently of the service provider. The APS provides domain administration tools. The APS allows the administration interface for the directory owner to create, modify or delete the logical domains from a single physical directory. Also, the APS provides an administration interface whereby individual domain organisations or sub-organisations can administer their own domains. This includes interfaces to add, modify or delete users of a system or for reporting from the system. Further, users of a given domain organisation or sub-organisation can also administer their own personal accounts, modify their service level and view their usage and accounting details.
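The devolved-authority check that such a shared directory needs, as an added example that is not part of the patent: a domain administrator may act only on entries strictly beneath their own domain entry, the directory owner may act on domains themselves, and an end user only on their own entry. The DNs, role names and operation names are constructed. The comparison is done on parsed RDNs rather than on the DN string, because a value containing an escaped comma makes a naive suffix match accept an entry that is not in the sub-tree at all.

```python
"""Sub-tree scoped administration for a shared LDAP/X.500 directory (added
example, not the patent's own code; DNs, roles and operations are constructed)."""
import re
from dataclasses import dataclass
from typing import FrozenSet


def split_dn(dn):
    """Split a distinguished name into normalised (attribute, value) RDNs, leaf
    first.  A comma escaped with a backslash is part of a value, not a separator
    (RFC 4514); attribute types and values are compared case-insensitively."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def is_within(target_dn, scope_dn, strict=False):
    """True if target_dn lies in the sub-tree rooted at scope_dn.  With
    strict=True the scope root itself does not count, so a domain administrator
    cannot delete or rename their own domain entry."""
    target, scope = split_dn(target_dn), split_dn(scope_dn)
    if len(target) < len(scope) or (strict and len(target) == len(scope)):
        return False
    return target[len(target) - len(scope):] == scope


@dataclass(frozen=True)
class Principal:
    name: str
    scope_dn: str
    allowed_ops: FrozenSet[str]
    self_only: bool = False   # end users: their own entry and nothing else


DIRECTORY_OWNER_OPS = frozenset(
    {"read", "add", "modify", "delete", "create_domain", "delete_domain"})
DOMAIN_ADMIN_OPS = frozenset({"read", "add", "modify", "delete", "report"})
END_USER_OPS = frozenset({"read", "modify"})


def authorise(principal, op, target_dn):
    """Deny unless the operation is allowed for the role and the target lies in
    the principal's scope."""
    if op not in principal.allowed_ops:
        return False
    if principal.self_only:
        return split_dn(target_dn) == split_dn(principal.scope_dn)
    return is_within(target_dn, principal.scope_dn, strict=True)


def example_principals():
    """Constructed roles: the ISP owning the directory, the administrator of the
    acme domain, and one acme end user."""
    return {
        "owner": Principal("isp operator", "o=isp", DIRECTORY_OWNER_OPS),
        "acme_admin": Principal("acme admin", "o=acme,o=isp", DOMAIN_ADMIN_OPS),
        "bob": Principal("bob", "cn=bob,ou=users,o=acme,o=isp",
                         END_USER_OPS, self_only=True),
    }
```

A production deployment would normally express the same scope as directory-side access controls as well, so that the check holds even for a client that bypasses the APS interface; the function above is the application-side part of that.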

The APS system allows for the assignment or preparation of resources for use by the entity to which the resources are associated. There are two types of association: firstly, associating entities with services and secondly, associating services with infrastructure.

Entity to service association, also known as "immediate association", is the process whereby the service or services that are specified in a given entity's base profile (plus any extensions of that profile) become available to an entity. This means that should an entity require services that are associated with a particular profile, then they have access to request those services. Entity to service association incorporates the steps of registration, which involves identification and authentication of an entity, followed by authorisation for the entity to use the service.
Registration is the process where an entity formally introduces itself to the APS system. In this process, entity details are gathered and stored within the directory store, where a unique entry is created in the directory for the entity. This stored information can then be quickly retrieved by the APS components. For example, a RADIUS server may wish to verify a username/password combination that has been received from a Remote Access Server (RAS) that a user of a telecommunications system has dialled into to request access to a company LAN. The RADIUS server retrieves the details relating to that user from the directory store, and this includes the password that was specified by the user during the registration process.

As shown in figure 5, typically, every time a LAN user starts up their workstation, they must enter a user name plus password details in order to be able to log on to their LAN. Different operating systems have different security systems for logging into a system. APS allows for a once-only registration process whereby a user can log onto a system without constantly needing to re-authenticate themselves to the APS system. A user, for example an employee who starts work with and remains with an organisation for a certain period of employment, can maintain their APS registration throughout their employment without ever needing to change their service requirements. However, an employee who gains a promotion, thereby needing a different level of service, may wish to change their configuration, which they can do using the APS system of the invention.

Registration is a precursor to the provision of services and only allows an unregistered entity DNS access to the registration process itself, thereby debarring unauthorised users from accessing the network. Registration may occur without the user making any subsequent request for a service and, as mentioned, may occur only once for an individual or employee who uses the same workstation and whose user entry is set to infinite. Registration may also be an ongoing process, as in the case of a dial-in ISP user as shown in figure 6 or for an automated cable modem subscriber as shown in figure 7. Registration presents the availability of services; it does not translate directly into actual service requests. It is the information that is stored about an entity during the registration process that is used by the authorisation process to determine whether an entity's service request will be granted.

In the case of a LAN user registration process, as shown in figure 5, an entity request for a service or services initiates the process of entity identification, as shown in the step numbered 20. The identification process attempts to determine who or what the entity is, and this is done by comparing information that is part of the service request with information that is stored in the Directory, such as the LDAP/X.500 Directory, to check whether details about the entity that is making the request are held.

If an entity that has never accessed the system before logs onto the system and no details about the entity are held in the Directory, then access to the system is denied to the entity. An entity in this case would be described as an anonymous entity. This situation may arise when a new user logs onto the network, or when a new piece of network infrastructure is logged onto the network, or when a new workstation is logged onto the network. Taking the case of when a new workstation is logged onto the network, the Media Access Control (MAC) address is not recognised by the DHCP server, shown by step 21, and so a provisional IP address is assigned to the workstation at step 22. The granting of a provisional IP address means that the workstation is un-provisioned and, in order to gain access to any network services, the workstation must be registered by a network administrator via a registration interface.

The entity may never have accessed the system before, but the system may be pre-configured by a network administrator to recognise the entity when they try to access the system. For example, a new employee may be due to start work in a few days' time and, before the employee arrives, the administrator may set up a username/password combination for that employee. When the employee logs onto the system they will be identified as being a pre-provisioned entity, shown at step 23.

When an entity makes a service request, the entity is recognised by the system, which already has configuration details about the entity. If the entity is successfully identified as pre-provisioned and then provisioned, registration then proceeds to the authentication process using the Service Manager, as shown in step 24. If the entity is still recorded as being anonymous, access may be denied to the network or, alternatively, the entity will be referred to the registration interface, shown at step 25.

If the user is allowed access to the system, a valid IP address will be assigned to the workstation in accordance with the user profiles, as shown in step 27. The Directory and the DNS can be updated with new user entity/machine details on a continuous basis, as shown in step 26, which will allow for the valid IP address at step 27 to be updated in accordance with the requirements of the user.

In figure 6, a similar process occurs: a user can dial into an ISP via a modem at 28. A NAS server provides identification information to a RADIUS server at 29, and the RADIUS server looks in the Directory to verify the identification details for that user at 30. If the user is provisioned, the RADIUS server will return an IP address which will provide the level of service that has been specified for the user by a user profile that is held in the Directory, at 31. If the user is not provisioned, a provisional IP can be assigned to the user which allows the user to browse the registration screen only, at 32. The user can then enter registration details, including details of how they will pay for their use of the requested services, at 33, and the user registration details can then be checked against the Directory to see if they are valid. When the user details are stored in the Directory, the user can then redial into the system using their new number or password, which allows the user to access the system at the level of service that they have specified, at 35. If the registration details are not valid, the system will not allow the user access and will register that there has been a log-on failure, at 36.

In the case of a cable modem subscriber, as shown in figure 7, the user connects into the system via a set-top box at 37. The set-top box makes the DHCP request to the DHCP server, which looks in the Directory to see if the MAC address has been assigned to a provisioned user, at 38. If the MAC address/serial ID of the user is identified at 39, the DHCP server returns the IP address and the name of the TFTP file containing the set-top box configuration settings to the set-top box at 40, which retrieves them from the TFTP server. The set-top box then configures itself using the TFTP file to provide the user with the level of service that they requested using the user profile, at 42. If the MAC address/serial ID is not identified, a provisional IP is assigned to the set-top box cable modem and the user is presented with a registration screen at 43. The user can then enter their registration details and, if these are valid, the user details are stored in the Directory and a set-top box MAC address/serial number is associated with the user at 45. The user can then use the allocated MAC address/serial ID to log onto the system when they restart the set-top box. If the registration details are not found to be valid, a log-on failure will be registered.
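The identification step common to figures 5 and 7, as an added example that is not the patent's own code: the DHCP server looks the MAC address up in the directory and hands out either a registration-only provisional address (anonymous entity), or a valid address for a pre-provisioned or provisioned entity, returning the set-top box configuration file name only in the last case; registration then associates the MAC with a user so that the next request is provisioned. The directory is a constructed in-memory dict standing in for the LDAP/X.500 store, and the address pools, field names and MAC addresses are assumptions.

```python
"""Entity identification at the DHCP step for a workstation (figure 5) or a
set-top box (figure 7).  Added example, not the patent's own code; the directory,
address pools, field names and MAC addresses are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class EntityState(Enum):
    ANONYMOUS = auto()        # no directory entry: registration interface only
    PRE_PROVISIONED = auto()  # entry created by an administrator, not yet used
    PROVISIONED = auto()      # entry exists and registration is complete


PROVISIONAL_POOL = ipaddress.ip_network("10.255.0.0/24")  # registration-only addresses
SERVICE_POOL = ipaddress.ip_network("10.1.0.0/24")        # addresses carrying a profile

# Constructed directory entries keyed by normalised MAC address.
DIRECTORY = {
    "00:11:22:33:44:55": {"owner": "alice", "state": "provisioned",
                          "profile": "general user", "config_file": "stb-gold.cfg"},
    "66:77:88:99:aa:bb": {"owner": "bob", "state": "pre-provisioned",
                          "profile": "general user", "config_file": None},
}

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise_mac(mac):
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 in any case; reject the rest.
    Normalising before the lookup stops one MAC from having two directory keys."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    return mac


@dataclass(frozen=True)
class Lease:
    ip: str
    state: EntityState
    next_step: str                     # "registration", "authentication" or "service"
    config_file: Optional[str] = None  # TFTP file name returned to a set-top box

    def is_provisional(self):
        return ipaddress.ip_address(self.ip) in PROVISIONAL_POOL


def allocate(pool, issued):
    """Hand out the lowest free host address; `issued` is shared across pools."""
    for host in pool.hosts():
        if str(host) not in issued:
            issued.add(str(host))
            return str(host)
    raise RuntimeError(f"pool {pool} exhausted")


def handle_dhcp_request(directory, mac, issued):
    """Steps 21-23 and 38-43: look the MAC up, then hand out a provisional or a
    valid address.  Configuration is only released to a provisioned entity."""
    entry = directory.get(normalise_mac(mac))
    if entry is None:
        return Lease(allocate(PROVISIONAL_POOL, issued),
                     EntityState.ANONYMOUS, "registration")
    if entry["state"] == "pre-provisioned":
        return Lease(allocate(SERVICE_POOL, issued),
                     EntityState.PRE_PROVISIONED, "authentication")
    return Lease(allocate(SERVICE_POOL, issued),
                 EntityState.PROVISIONED, "service", entry["config_file"])


def register(directory, mac, owner, profile, config_file=None):
    """Step 45: associate the MAC with a user so later requests are provisioned.
    Refuses to silently re-associate a MAC that already belongs to someone."""
    mac = normalise_mac(mac)
    if mac in directory:
        raise ValueError(f"{mac} is already associated with {directory[mac]['owner']}")
    directory[mac] = {"owner": owner, "state": "provisioned",
                      "profile": profile, "config_file": config_file}
    return directory[mac]
```

Two points the flow in the text leaves implicit and the code makes explicit: the provisional pool must be routable only to the registration interface, and a MAC address that is already associated with one user should not be re-registered to another without an administrator's involvement, since the MAC is the only identifier the set-top box presents.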

The authentication process attempts to verify the entities that are attempting to log onto the network. There may be two levels of authentication, for example "weak authentication", where, say, the user name and password are checked, or "strong authentication", where, say, a digital certificate request is made to a smart card or a fingerprint scan takes place. The level of authentication may be demanded as a function of the access method, the service requested or the geography of the user. Once an entity has been authenticated, the system then determines whether the proven entity is authorised to use the requested service.
Authorisation is an ongoing process which handles authorisation to use a service. Before delivering the requested service, the application must first receive the necessary clearance for that entity. To determine which response to make, the application assesses parameters such as the entity's base profile plus any profile extensions, the entity's network access method (e.g. via a dial-in ISP request, a dial-in direct to RAS request or a LAN request), the geographical location of the entity and the time of access. The primary parameter is the entity's profile plus any profile extensions. Authorisation will only be given if the entity has been explicitly registered to use a particular service. Provided approval is given to the application to grant a service request, the application may then proceed to the actual delivery of the service to the entity. Entity-service association is then said to be completed.
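The authentication and authorisation steps just described, combined into one decision, as an added example that is not the patent's own code. The entitled services are the union of the base profile and its extensions, anything not explicitly in that set is refused, and the authentication level demanded rises with the access method, the user's location and the sensitivity of the service. The profiles, service names, access-method labels and the strong-authentication policy are assumptions, as is the choice to keep a salted PBKDF2 hash in the directory for the weak (password) check rather than the password itself.

```python
"""Authentication level and authorisation for a service request (added example,
not the patent's own code; profiles, services, access methods and the password
storage format are assumptions)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    NONE = 0
    WEAK = 1    # user name and password checked
    STRONG = 2  # certificate on a smart card, or a fingerprint scan


@dataclass(frozen=True)
class Profile:
    name: str
    services: frozenset


@dataclass(frozen=True)
class Entity:
    name: str
    base_profile: Profile
    extensions: tuple = ()
    home_country: str = "GB"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Assumed policy: services that demand strong authentication however the entity connects.
STRONG_SERVICES = frozenset({"payroll", "company strategy"})


def entitled_services(entity):
    """Base profile plus any profile extensions: the primary authorisation input."""
    services = set(entity.base_profile.services)
    for ext in entity.extensions:
        services |= ext.services
    return frozenset(services)


def required_level(access_method, service, country, entity):
    """Strong authentication for remote access, for access from abroad and for
    sensitive services; a direct LAN login needs only weak authentication."""
    if service in STRONG_SERVICES:
        return AuthLevel.STRONG
    if access_method != "lan" or country != entity.home_country:
        return AuthLevel.STRONG
    return AuthLevel.WEAK


def authorise(entity, service, access_method, country, achieved):
    """Deny by default: the service must be in the profile, and the achieved
    authentication level must meet what this request context demands."""
    if service not in entitled_services(entity):
        return Decision(False, f"{entity.name} is not registered for {service!r}")
    need = required_level(access_method, service, country, entity)
    if achieved < need:
        return Decision(False, f"{need.name} authentication required, "
                               f"only {achieved.name} achieved")
    return Decision(True, "ok")


# Weak authentication against the directory record.  Storing a salted hash is an
# assumption made here; challenge methods such as CHAP need the cleartext (or an
# equivalent secret) on the server side and could not use this format.
def make_password_record(password, salt=None, rounds=200_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def verify_password(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])


def build_example_entity():
    """Constructed entity: a general user whose profile has a finance extension."""
    general = Profile("general user", frozenset({"email", "intranet"}))
    finance = Profile("finance extension", frozenset({"accounting", "payroll"}))
    return Entity("alice", general, (finance,))
```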

Service-infrastructure association then occurs, which involves configuration of the items of infrastructure specified by the service in a way that provides the service to the requesting entity. The item (such as the DHCP server) configures itself in a manner which is specific to that object. There are two types of infrastructure configuration: the first where use is allowed to the entity and the second where use is denied to the entity.

The APS provides user/administration interfaces for a range of functional areas such as registration, report/query, administration, IP configuration, DNS management, VPD management and security management. The APS supports the creation of user interfaces using technologies such as browser interfaces, application interfaces and user defined interfaces. The HTML for display by the browser is generated or stored on a web server and is served to the user via HTTP protocols. HTML is platform independent and HTTP ports are generally available through firewalls. APS support for HTML is achieved by using an HTML adaptor contained within the Story Processor that runs on the web server. The Story Processor HTML adaptor handles data submitted via an HTML interface and also delivers HTML interfaces. The Story Processor then converts requests for service from the interface-specific format into a generic format which is passed to the service manager layer.

Although the APS system provides for the use of standard interfaces, it is also possible for organisations to build their own interfaces, or to use existing interfaces that the organisation is already using but which are adapted by the APS system of the invention. APS interfaces which may be customised are IP configuration, security management and VPD or domain management. APS interfaces which support partial customisation, e.g. use of company specific logos or background images on standard APS interfaces, are:

HTML based VPD interfaces

HTML based registration interfaces

HTML based report/query interfaces

HTML based administration interfaces

Partial interface customisation is referred to as interface branding. Interface branding involves the insertion of company brand/logo information into the HTML frame-sets as headers and/or footers. A virtual ISP may buy an ISP service from a larger ISP which uses the APS system of the invention. Assuming all the user details are stored and administered using the parent ISP's infrastructure, any virtual ISP subscriber wishing to check details such as account details would use the parent ISP's subscriber account maintenance interface. To conceal the fact that they are using the parent's system, the virtual ISP could provide, as part of their virtual ISP configuration, their own logos to customise the HTML interface.

APS interfaces which allow for complete replacement by a customised interface are registration interfaces and HTML based report/query interfaces. The mechanism that allows organisations to build their own interfaces is the same set of Application Programming Interfaces (APIs) that can be invoked by the standard APS user interfaces, and these include the Service Manager APIs and the Story Processor Adaptor APIs. For example, an organisation may wish to publish its own registration interface using HTML, or multiple HTML pages, to collect registration details. Once the user has traversed the HTML pages (stories), the data is posted to the HTML adaptor, which translates the data into an object to pass to the Service Manager.

APS interfaces can provide interface security over media such as public networks or insecure private networks. The APS system does not assume that standard security implementations such as firewalls are fully secure, and implements its own security model to provide the measures of security required. Security measures that may be required are data confidentiality, data integrity, authentication and non-repudiation.

The APS implements security measures using Secure Sockets Layer (SSL), which secures transmissions over networks and creates secure socket connections between a user and a server. SSL supports multiple cryptographic techniques, for example RC2 or RC4 encryption with a 40-bit key; RC4 encryption with a 128-bit key and an MD5 MAC; triple DES encryption with a 168-bit key and a SHA-1 MAC; RC2 and RC4 encryption with a 40-bit key and an MD5 MAC; and no encryption with an MD5 MAC.
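Every suite in the list above is one a current deployment would refuse: 40-bit keys are export-grade and brute-forceable, RC4 is prohibited for TLS by RFC 7465, triple DES has a 64-bit block, MD5 is deprecated as a MAC, and a null-cipher suite gives integrity without confidentiality. As an added example that is not the patent's own code, the following assesses each listed suite against such a policy and builds a client-side TLS context that cannot negotiate any of them. The suite list is transcribed from the text, and the policy thresholds and cipher string are assumptions.

```python
"""Assess the SSL cipher suites listed in the description against a modern
policy, and build a TLS context that excludes them (added example, not the
patent's own code; policy thresholds and the cipher string are assumptions)."""
import ssl

# The suites named in the description as (cipher, key bits, MAC), transcribed
# from the text; None means the suite has no cipher or no separate MAC.
LISTED_SUITES = [
    ("RC2", 40, None),
    ("RC4", 40, None),
    ("RC4", 128, "MD5"),
    ("3DES", 168, "SHA1"),
    ("RC2", 40, "MD5"),
    ("RC4", 40, "MD5"),
    (None, 0, "MD5"),      # no encryption, MD5 MAC only
]

BROKEN_CIPHERS = {"RC2", "RC4", "DES", "3DES"}  # RC4: RFC 7465; 3DES: 64-bit block
BROKEN_MACS = {"MD5"}
MIN_KEY_BITS = 128


def assess(cipher, key_bits, mac):
    """Return the reasons a suite is unacceptable; an empty list means acceptable."""
    reasons = []
    if cipher is None:
        reasons.append("no encryption: confidentiality is not provided")
    else:
        if cipher in BROKEN_CIPHERS:
            reasons.append(f"{cipher} is a broken or deprecated cipher")
        if key_bits < MIN_KEY_BITS:
            reasons.append(f"{key_bits}-bit key is export-grade and brute-forceable")
    if mac in BROKEN_MACS:
        reasons.append(f"{mac} MAC is deprecated")
    return reasons


def unacceptable_listed_suites():
    """Each listed suite with its reasons, for reporting."""
    return [(suite, assess(*suite)) for suite in LISTED_SUITES if assess(*suite)]


def hardened_client_context():
    """A client context that refuses every suite in the list: TLS 1.2 or later,
    forward-secret AEAD suites only, certificate verification on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # sets CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:"
                    "!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!RC2")
    ctx.load_default_certs()
    return ctx


def weak_suites_enabled(ctx):
    """Names of any negotiable suite that still uses a cipher or MAC from the list."""
    bad_tokens = ("RC4", "RC2", "MD5", "DES", "NULL", "EXP")
    return [c["name"] for c in ctx.get_ciphers()
            if any(tok in c["name"] for tok in bad_tokens)]
```

`get_ciphers()` reports what the underlying OpenSSL build will actually offer, so the last function is the check worth running after any change to the cipher string rather than trusting the string alone.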

The APS allows the administrators to select the type of security appropriate for an information exchange, for example whether credit card details are to be acquired from a user or whether data integrity is important. Further, different levels of security may be provided according to the entity type, access method, service requested or the geography of the user. For example, a mobile employee connecting to a LAN from abroad would require greater authentication to use the network than an internal employee who is connecting directly to the LAN. Selection of the type of security has system performance implications in terms of CPU processing and public key cryptography, and, for example, 3-way CHAP authentication involves more network traffic than 2-way PAP. The APS system of the invention gives the APS administrator the flexibility to select the security technique that is appropriate to the performance of the system.

Figure 8 shows a schematic figure of a multi-service enterprise structure in which the APS system uses the directory to link a plurality of DHCP configured workstations, which are in turn linked to a number of servers including a mail server, Internet server and application server.

Figure 9 shows a schematic figure which is similar to that shown in figure 8, except that it shows a multi-service ISP infrastructure. Rather than having a number of DHCP configured workstations as shown in figure 8, figure 9 shows a system where individuals can have access via a modem, cable modem or set-top box, corporate firewall or VPN to the APS controlled system.

CLAIMS

1. An automated provisioning system adapted to use an LDAP or X.500 compatible directory enabled information repository, the system comprising a service manager adapted to interface with the information repository and components of a distributed electronic system, wherein the information repository comprises a scalable data model, wherein the service manager is adapted to log on to a directory and interacts therewith to create, delete, amend and/or search for information in the information repository, and wherein the data model comprises domains, which domains comprise object types of users, services, profiles and infrastructure,

and wherein the data model comprises configuration objects, which objects comprise one or more of a profile service configuration object, a user service configuration object and a service infrastructure configuration object,

such that a user is assigned to a profile, which profile is adapted to access a plurality of services, which services run on infrastructure.

2. An automated provisioning system according to Claim 1, wherein a user service configuration object configures use of the service when associated with a particular user, a profile service configuration object configures aspects of the service when associated with a particular profile, and a service infrastructure configuration object configures aspects of the service when associated with a particular piece of infrastructure.

3. An automated provisioning system according to Claim 1 or Claim 2, in which a user is assigned a plurality of profiles, which profiles comprise a plurality of services.

4. An automated provisioning system according to any one of Claims 1 to 3, wherein the domain contains sub-domains.